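Doctoral Thesis
University of Rennes 1
Université Bretagne Loire
Doctoral School No. 601, Mathematics and Information and Communication Technologies
Specialty: Computer Science

The GNU Taler System: Practical and Provably Secure Electronic Payments

Doctoral thesis presented and defended in Rennes on 25 February 2019
Research unit: Inria
Thesis number: 195897

Florian DOLD

Reviewers prior to the defense:
Philip ROGAWAY, Professor, University of California, Davis
Sarah MEIKLEJOHN, Professor, University College London

Jury members:
President: Alan SCHMITT
Reviewers: Philip ROGAWAY, Professor, University of California, Davis
Sarah MEIKLEJOHN, Professor, University College London
Researcher, Inria Rennes
Alex PENTLAND, Professor, Massachusetts Institute of Technology
Thesis advisor: Christian GROTHOFF, Professor, Bern University of Applied Sciences
Thesis co-advisor: Jean-Louis LANET, Research Director, Inria

Title: The GNU Taler System: Practical and Secure Electronic Payments
Keywords: electronic money, cryptography, security, distributed systems, practical applications
Abstract: New network and cryptographic protocols can greatly improve payment systems. This thesis covers the design, implementation and security analysis of GNU Taler, a privacy-respecting payment system intended as a practical means of online (micro-)payments that is at the same time socially and ethically responsible.

The technical foundation of GNU Taler goes back to David Chaum's e-cash. Our work goes beyond Chaum's e-cash with efficient change, and with a new notion of income transparency which ensures that merchants can reliably receive a payment from an untrusted payer only when their income from the payment is visible to tax authorities.

Income transparency is achieved by introducing a refresh protocol, which gives anonymous change for a partially spent coin without introducing a tax evasion loophole. Furthermore, we show the provable security of our income-transparent e-cash, which covers not only the usual anonymity and unforgeability properties of e-cash, but also formally covers conservation of funds and income transparency.

Our implementation of GNU Taler is usable by non-expert users and integrates with the modern Web architecture. Our payment platform addresses a range of practical issues, such as tipping customers, refunds, integration with banks and know-your-customer (KYC) checks, as well as the security and reliability requirements of the platform. On a single machine, we achieve transaction rates that rival those of global, commercial credit card processors.

While cryptocurrencies based on proof-of-work such as Bitcoin have yet to scale to replace existing payment systems, more efficient blockchain systems based on classical consensus algorithms may have potential applications in the financial sector. We design, implement and analyze the Byzantine Set Union Consensus protocol, a Byzantine consensus protocol that agrees on a (super-)set of elements at once, instead of sequentially agreeing on the individual elements of a set. Byzantine Set Consensus can be used as a building block for permissioned blockchains, where (as in Nakamoto-style consensus) whole blocks of transactions are agreed upon at once to increase the transaction rate.

Title: The GNU Taler System: Practical and Provably Secure Electronic Payments
Keywords: Electronic Cash, Cryptography, Security, Distributed Systems, Practical Applications
Abstract: We describe the design and implementation of GNU Taler, an electronic payment system based on an extension of Chaumian online e-cash with efficient change.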
In addition to anonymity for customers, it provides the novel notion of income transparency, which guarantees that merchants can reliably receive a payment from an untrusted payer only when their income from the payment is visible to tax authorities.

Income transparency is achieved by the introduction of a refresh protocol, which gives anonymous change for a partially spent coin without introducing a tax evasion loophole. In addition to income transparency, the refresh protocol can be used to implement Camenisch-style atomic swaps, and to preserve anonymity in the presence of protocol aborts and crash faults with data loss by participants.

Furthermore, we show the provable security of our income-transparent anonymous e-cash, which, in addition to the usual anonymity and unforgeability properties of e-cash, also formally models conservation of funds and income transparency.

Our implementation of GNU Taler is usable by non-expert users and integrates with the modern Web architecture. Our payment platform addresses a range of practical issues, such as tipping customers, providing refunds, integrating with banks and know-your-customer (KYC) checks, as well as Web platform security and reliability requirements.

On a single machine, we achieve transaction rates that rival those of global, commercial credit card processors.

We increase the robustness of the exchange—the component that keeps bank money in escrow in exchange for e-cash—by adding an auditor component, which verifies the correct operation of the system and allows a compromise or misbehavior of the exchange to be detected early.

Just like bank accounts have reason to exist besides bank notes, e-cash only serves as part of a whole payment system stack. Distributed ledgers have recently gained immense popularity as potential replacement for parts of the traditional financial industry.
While cryptocurrencies based on proof-of-work such as Bitcoin have yet to scale to be useful as a replacement for established payment systems, other more efficient systems based on blockchains with more classical consensus algorithms might still have promising applications in the financial industry.

We design, implement and analyze the performance of Byzantine Set Union Consensus (BSC), a Byzantine consensus protocol that agrees on a (super-)set of elements at once, instead of sequentially agreeing on the individual elements of a set. While BSC is interesting in itself, it can also be used as a building block for permissioned blockchains, where—just like in Nakamoto-style consensus—whole blocks of transactions are agreed upon at once, increasing the transaction rate.

Acknowledgements

I would like to thank Moritz Bartl for helping with the funding for this thesis. Bruno Haible provided generous support for the GNU Taler team to visit meetings of the W3C’s Web Payment Working Group. I also thank Ashoka, the Tor project and the Donaukurier for their support.

This work benefits from the financial support of the Brittany Region (ARED9174) and the Renewable Freedom Foundation (RFF).

I want to thank Inria and my team leader Axel Legay for hosting me during the work on my thesis, and Jean-Louis Lanet for agreeing to co-advise my thesis.

Special thanks goes to Thomas Given-Wilson, Fabrizio Biondi, Laurent Morin and Nisrine Jafri for their support and company.

I also thank the Bern University of Applied Sciences for providing the hardware that was used during experiments.

Thanks to Marcello Stanisci for his work as an engineer on the GNU Taler project.

Chapter 5 is based on work published in the EURASIP Journal on Wireless Communications and Networking in collaboration with Christian Grothoff.
Parts of Chapter 4 have been published in collaboration with Jeff Burdges, Christian Grothoff and Marcello Stanisci at SPACE 2016.

Thanks to Cristina Onete and Jeff Burdges for their collaboration on the provable security of GNU Taler.

I am grateful to the GNU project, in particular Richard Stallman, for their support of this project. I also thank all GNUnet developers and GNU Guix developers, especially Hartmut Goebel, Nils Gillmann, Gabor Toth, Ludovic Courtès and Andreas Enge.

Thanks to the Taler Systems business team, in particular Leon Schumacher and Michael Widmer, for their continuous faith in the project.

I thank my advisor Christian Grothoff for his advice and friendship.

Last but not least I’d like to thank my parents, my oldest friends Tom and Ben and my fiancée Vaish for their relentless support even during the most difficult times.

Contents

1. Introduction
  1.1. Design Goals for GNU Taler
  1.2. Features of Value-based Payment Systems
    1.2.1. Offline vs Online Payments
    1.2.2. Change and Divisibility
    1.2.3. Anonymity Control
    1.2.4. User Suspension
    1.2.5. Transferability
    1.2.6. Atomic Swaps
    1.2.7. Refunds
  1.3. User Experience and Performance
  1.4. The Technical Foundation: Anonymous E-Cash
  1.5. Distributed Ledgers
    1.5.1. Consensus in Decentralized Blockchains
    1.5.2. Permissioned Blockchains
    1.5.3. Blockchains and GNU Taler
  1.6. Key Contributions
  1.7. Roadmap
2. GNU Taler, an Income-Transparent Anonymous E-Cash System
  2.1. Design of GNU Taler
    2.1.1. Entities and Trust Model
    2.1.2. System Assumptions
    2.1.3. Reserves
    2.1.4. Coins and Denominations
    2.1.5. Partial Spending and Unlinkable Change
    2.1.6. Refreshing and Taxability
    2.1.7. Transactions vs. Sharing
    2.1.8. Aggregation
    2.1.9. Refunds
    2.1.10. Fees
    2.1.11. The Withdraw Loophole and Tipping
  2.2. Auditing
    2.2.1. Exchange Compromise Modes
    2.2.2. Cryptographic Proof
    2.2.3. Perfect Crime Scenarios
  2.3. Related Work
    2.3.1. Anonymous E-Cash
    2.3.2. Blockchains
    2.3.3. Approaches to Micropayments
    2.3.4. Walled Garden Payment Systems
    2.3.5. Web Integration
3. Security of Income-Transparent Anonymous E-Cash
  3.1. Introduction to Provable Security
    3.1.1. Algorithms, Oracles and Games
    3.1.2. Assumptions, Reductions and Game Hopping
    3.1.3. Notation
  3.2. Model and Syntax for Taler
    3.2.1. Algorithms
    3.2.2. Oracles
  3.3. Games
    3.3.1. Anonymity
    3.3.2. Conservation
    3.3.3. Unforgeability
    3.3.4. Income Transparency
  3.4. Security Definitions
  3.5. Instantiation
    3.5.1. Generic Instantiation
    3.5.2. Concrete Instantiation
  3.6. Proofs
    3.6.1. Anonymity
    3.6.2. Conservation
    3.6.3. Unforgeability
    3.6.4. Income Transparency
  3.7. Discussion
    3.7.1. Limitations
    3.7.2. Other Properties
4. Implementation of GNU Taler
  4.1. Overview
    4.1.1. Taler APIs
    4.1.2. Cryptographic Algorithms
    4.1.3. Entities and Public Key Infrastructure
    4.1.4. Payments
    4.1.5. Resource-based Web Payments
    4.1.6. Session-bound Payments and Sharing
    4.1.7. Embedded Content
    4.1.8. Contract Terms
    4.1.9. Refunds
    4.1.10. Tipping
  4.2. Bank Integration
    4.2.1. Wire Method Identifiers
    4.2.2. Demo Bank
    4.2.3. EBICS and SEPA
    4.2.4. Blockchain Integration
  4.3. Exchange
  4.4. Auditor
  4.5. Merchant Backend
    4.5.1. Processing Payments
    4.5.2. Back Office APIs
    4.5.3. Example Merchant Frontends
  4.6. Wallet
    4.6.1. Optimizations
    4.6.2. Coin Selection
    4.6.3. Wallet Detection
    4.6.4. Backup and Synchronization
    4.6.5. Wallet Liquidation
    4.6.6. Wallet Signaling
  4.7. Cryptographic Protocols
    4.7.1. Preliminaries
    4.7.2. Withdrawing
    4.7.3. Payment Transactions
    4.7.4. Refresh and Linking
    4.7.5. Refunds
  4.8. Experimental Results
    4.8.1. Hardware Setup
    4.8.2. Coins per Transaction
    4.8.3. Transaction Rate and Scalability
    4.8.4. Latency
  4.9. Current Limitations and Future Improvements
5. Byzantine Set-Union Consensus
  5.1. Introduction
  5.2. Background
    5.2.1. The FLP Impossibility Result
    5.2.2. Byzantine Consensus in the Partially Synchronous Model
    5.2.3. Gradecast
    5.2.4. Byzantine Consensus
    5.2.5. Set Reconciliation
  5.3. Our Approach
    5.3.1. Definition
    5.3.2. Byzantine Set Union Consensus (BSC) Protocol
  5.4. Implementation
    5.4.1. The GNUnet Framework
    5.4.2. Set Reconciliation
    5.4.3. Set-Union Consensus
    5.4.4. Evaluating Malicious Behavior
  5.5. Experimental Results
    5.5.1. Bounded Set Reconciliation
    5.5.2. Byzantine Set Consensus
  5.6. Opportunities for Further Improving BSC
    5.6.1. Extension to Partial Synchrony
    5.6.2. Persistent Data Structures
    5.6.3. Fast Dissemination
  5.7. Application to SMC
    5.7.1. Bulletin Board for Electronic Voting
    5.7.2. Distributed Threshold Key Generation and Cooperative Decryption
    5.7.3. Electronic Voting with Homomorphic Encryption
    5.7.4. Other Applications of BSC
  5.8. Conclusions
6. Future Work
7. Conclusion
  7.1. Cryptocurrencies vs. Central-Bank-Issued Currencies
  7.2. Electronic Payments
Bibliography
A. Summary in French
B. dold-draft-payto
C. Coin Spending Simulation

List of Figures

1.1. The user is prompted to install the wallet.
1.2. The wallet popup shows an empty balance.
1.3. The bank asks for login details.
1.4. Account page of the demo bank.
1.5. Exchange selection dialog in the wallet.
1.6. PIN/TAN dialog of the demo bank.
1.7. After a successful withdrawal, the balance is shown in the wallet.
1.8. Landing page of a store that sells essays.